
Side by Side Diff: experimental/webtry/seccomp_bpf.h

Issue 228693002: Initial code for webtry, a web application for allowing users to try out Skia. (Closed) Base URL: https://skia.googlesource.com/skia.git@master
Patch Set: More cleanup Created 6 years, 8 months ago
(Empty)
1 /*
2 * seccomp example for x86 (32-bit and 64-bit) with BPF macros
3 *
4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
5 * Authors:
6 * Will Drewry <wad@chromium.org>
7 * Kees Cook <keescook@chromium.org>
8 *
9 * Use of this source code is governed by a BSD-style license that can be
10 * found in the LICENSE file.
11 */
mtklein 2014/04/08 19:00:23 I gather this is pulled from chromium/src somewher
jcgregorio 2014/04/09 14:10:31 Stripped the file down to its absolute minimum and
12 #ifndef _SECCOMP_BPF_H_
13 #define _SECCOMP_BPF_H_
14
15 #define _GNU_SOURCE 1
16 #include <stdio.h>
17 #include <stddef.h>
18 #include <stdlib.h>
19 #include <errno.h>
20 #include <signal.h>
21 #include <string.h>
22 #include <unistd.h>
23
24 #include <sys/prctl.h>
25 #ifndef PR_SET_NO_NEW_PRIVS
26 # define PR_SET_NO_NEW_PRIVS 38
27 #endif
28
29 #include <linux/unistd.h>
30 #include <linux/audit.h>
31 #include <linux/filter.h>
32 #ifdef HAVE_LINUX_SECCOMP_H
33 # include <linux/seccomp.h>
34 #endif
35 #ifndef SECCOMP_MODE_FILTER
36 # define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
37 # define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
38 # define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
39 # define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
40 struct seccomp_data {
41 int nr;
42 __u32 arch;
43 __u64 instruction_pointer;
44 __u64 args[6];
45 };
46 #endif
47 #ifndef SYS_SECCOMP
48 # define SYS_SECCOMP 1
49 #endif
50
51 #define syscall_nr (offsetof(struct seccomp_data, nr))
52 #define arch_nr (offsetof(struct seccomp_data, arch))
53
54 #if defined(__i386__)
55 # define REG_SYSCALL REG_EAX
56 # define ARCH_NR AUDIT_ARCH_I386
57 #elif defined(__x86_64__)
58 # define REG_SYSCALL REG_RAX
59 # define ARCH_NR AUDIT_ARCH_X86_64
60 #else
61 # warning "Platform does not support seccomp filter yet"
62 # define REG_SYSCALL 0
63 # define ARCH_NR 0
64 #endif
65
66 #define VALIDATE_ARCHITECTURE \
mtklein 2014/04/08 19:00:23 Is it important that I (or we, you?) understand wh
jcgregorio 2014/04/09 14:10:31 See above. On 2014/04/08 19:00:23, mtklein wrote:
67 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
68 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
69 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
70
71 #define EXAMINE_SYSCALL \
72 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)
73
74 #define ALLOW_SYSCALL(name) \
75 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
76 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
77
78 #define KILL_PROCESS \
79 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
80
81 #endif /* _SECCOMP_BPF_H_ */
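Review bot: `KILL_PROCESS` at line 78 returns `SECCOMP_RET_KILL`, which terminates only the thread that issued the disallowed syscall, so in a multi-threaded caller the remaining threads keep running after a filter violation. The name promises more than the action delivers; I would either rename it (e.g. `KILL_THREAD`) or add a comment above it such as `/* SECCOMP_RET_KILL ends the calling thread only; other threads in the process survive */`. Where the installed kernel headers define `SECCOMP_RET_KILL_PROCESS`, that is the action that matches the current name. Separately, the `#else` branch at lines 60-63 sets `ARCH_NR` to 0 behind only a `#warning`, so `VALIDATE_ARCHITECTURE` would presumably reject every syscall on such a platform; `#error "seccomp filter not supported on this architecture"` would surface that at build time instead of at the first syscall.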